FOREWORD


Military cyberspace operations have been ongoing since before the advent of the Internet, and their influence on traditional military operations continues to increase. What are the significant changes in mission and structure of Department of Defense offensive and defensive cyberspace activities over the past decade? How do joint and Army cyberspace military operations fit into the complex and dynamic sphere of daily network defense as well as international deterrence and escalation?

To facilitate the operationalization of this new domain, education of the tenets of cyberspace must occur at the tactical, operational, and strategic levels of leadership. The persistent increase of cyberspace activities in global events continues to make international dynamics more complex. The scope of context for such matters needs to consider not just other military efforts or even other instruments of national power, but how they are presented in an escalation framework and where they may be going.

This monograph posits that expanding deterrence forces to include conventional strike and cyber offense can add capability and credibility, as well as flexibility, to course-of-action development available for national command authorities. It also argues that cyberspace operations, such as automated cyber defense, can support and enhance deterrence operations and limited conflict as well as help control escalation and reduce risk.


DOUGLAS C. LOVELACE, JR.
Director
Strategic Studies Institute and
U.S. Army War College Press

SUMMARY


Military cyberspace operations have been ongoing since before the advent of the Internet. Such operations have evolved significantly over the past 2 decades and are now emerging into the realm of military operations in the traditional domains of land, sea, and air. The goal of this monograph is to provide senior policymakers, decisionmakers, military leaders, and their respective staffs with a better understanding of Army cyberspace operations within the context of overall U.S. military cyberspace operations. It first looks at the evolution of Department of Defense (DoD) cyberspace operations over the past decade. Next, it examines the evolution of the Army implementation of cyberspace operations. Finally, it explores the role of cyberspace operations in the escalation of international conflict.

The scope of discussion is at the survey level of detail to provide an overall appreciation for the complex and dynamic nature of evolving cyberspace operations. It is limited to unclassified and open source information; any classified discussion must occur at an appropriate venue. Although the details contained herein are largely focused on military applications, the reader must realize that whole-of-government efforts are essential for the successful implementation of national security efforts in cyberspace.

This monograph has three main sections:

• Evolution of Military Cyberspace Operations. This section examines the founding of U.S. Cyber Command from its roots in various military units focused on defensive and offensive cyberspace operations. It reviews the initial operation of the command under the leadership of General Keith Alexander as well as its current operations led by Admiral Michael Rogers. Also, it assesses the command's mission to direct operations, defend networks, and, on order, conduct full spectrum operations, with respect to its appropriateness and adeptness for the command and control of military cyberspace forces.

• Evolution of Army Cyberspace Operations. Having examined the evolution of joint cyberspace operations, this section focuses on parallel evolutionary efforts in Army cyberspace operations toward the establishment of Army Cyber Command. It examines initial operations of the command under the leadership of Lieutenant General Rhett Hernandez as well as its current operations led by Lieutenant General Edward Cardon. This includes a brief review of recent efforts to establish Fort Gordon, Georgia as the center of gravity for Army cyberspace activities.

• Cyberspace Operations in a Global Context. This section examines the sufficiency of the current cyberspace force structure to address an international environment of multiple actors interacting with varying degrees of tension. In such a global situation, cyberspace operations seeking to produce certain effects must also be examined for their potential to cause escalation of activities; possibly even up to the point of existential threat. The section presents a modified Kahn escalation ladder as a useful metaphor to explore how cyberspace activities may integrate with traditional military operations across the spectrum of international conflict as well as how such defenses influence national responses related to deterrence and escalation.


This monograph examines the past and present joint and Army cyberspace military operations, as well as how these operations may fit into the complex and dynamic sphere of international deterrence and escalation. To facilitate the best evolutionary path for future activities, it provides recommendations in the areas of current priorities, authorities, strategic engagement, multi-role modeling, and other paradigms and factors to consider in future examinations of the topic.

AUTHOR'S NOTE


When this monograph was initially completed in August 2012, the capstone doctrine document for U.S. military cyberspace operations — Joint Publication (JP) 3-12, Joint Cyberspace Operations — was a classified document. On October 21, 2014, the Joint Chiefs of Staff released JP 3-12(R), Cyberspace Operations, an unclassified version of the earlier doctrine document that is posted on the unclassified public access government website "Joint Electronic Library" (available from www.dtic.mil/doctrine/). Please note that the cover of the unclassified version retains the original classified release date of February 5, 2013, but its contents do not include an explanatory note as to when, how, and why this declassification was made.

In general terms, the information in this monograph is consistent with the details contained in JP 3-12(R), and thus this monograph has not been modified to assess and incorporate this recent release. However, a diagram from JP 3-12(R) that depicts typical joint cyberspace command and control organizational relationships is included as Figure A-1 in the Appendix to complement the information contained in Figures 1, 2, and 3 of this monograph.

ARMY SUPPORT OF MILITARY CYBERSPACE OPERATIONS:
JOINT CONTEXTS AND GLOBAL ESCALATION IMPLICATIONS

Military cyberspace operations have been ongoing since before the advent of the Internet. Such operations have evolved significantly over the past 2 decades and are now emerging into the realm of military operations in the traditional domains of land, sea, and air. The goal of this monograph is to provide senior policymakers, decisionmakers, military leaders, and their respective staffs with a better understanding of Army cyberspace operations within the context of overall U.S. military cyberspace operations. To accomplish this, it first looks at the evolution of Department of Defense (DoD) cyberspace operations over the past decade. Next, it examines the evolution of the Army implementation of cyberspace operations. Finally, it explores the role of cyberspace operations in the escalation of international conflict. The scope of discussion is at the survey level of detail to provide an overall appreciation for the complex and dynamic nature of evolving cyberspace operations. It is limited to unclassified and open source information; any classified discussion must occur at an appropriate venue. Although the details contained herein are largely focused on military applications, the reader must realize that whole-of-government efforts are essential for the successful implementation of national security efforts in cyberspace.

EVOLUTION OF MILITARY CYBERSPACE OPERATIONS


This section examines the founding of the U.S. Cyber Command from its roots in various military units focused on defensive and offensive cyberspace operations. It reviews the initial operation of the command under the leadership of General Keith Alexander as well as its current operations led by Admiral Michael Rogers. Also, it assesses the command's mission to direct operations, defend networks, and, on order, conduct full spectrum operations with respect to its appropriateness and adeptness for the command and control of military cyberspace forces.

The Founding of U.S. Cyber Command.

The formal establishment of military units dedicated to cyberspace missions is mostly a phenomenon of the 21st century. This section will look at how the defensive and offensive aspects of cyberspace operations evolved until they were merged under U.S. Cyber Command.

Defensive Cyberspace: Joint Task Force-Global Network Operations.

In the last years of the 20th century, DoD began to form the forerunners of a dedicated cyberspace force. In December 1998, Secretary of Defense William Cohen approved formation of the Joint Task Force-Computer Network Defense (JTF-CND) to "serve as the focal point with the Department of Defense to organize a united effort to defend its computer networks and systems" based on needs demonstrated by "defense exercises and real world events in 1997 and in early 1998."1 These events included the DoD Eligible Receiver 1997 exercise as well as the hacking incidents known as Solar Sunrise and Moonlight Maze.2 JTF-CND was collocated with the Global Operations and Security Center of the Defense Information Systems Agency (DISA) in Washington, DC, and was given the initial mission to be responsible for operations on DoD computer systems and networks as well as coordinating these efforts with the interagency and commercial communities.3

The initial cadre was small at 10 personnel assigned and only 24 assigned when full operational capability was achieved in June 1999. At first, the JTF-CND was not assigned to a unified command, so its commander reported through the Chairman of the Joint Chiefs of Staff to the Secretary of Defense.4 The first commander, Major General John Campbell, recognized there was no connection with services and regional warfighting commanders, and the interim command arrangement evolved quickly.5 Within a year, JTF-CND was placed under the U.S. Space Command with responsibilities that included DoD-wide defense actions to stop computer network attack (CNA) and computer network exploitation (CNE) efforts and to mitigate the effects of any successful attacks.6

In April 2001, the offensive cyberspace role of computer network attack was assigned to U.S. Space Command, and the JTF-CND was renamed to Joint Task Force-Computer Network Operations (JTF-CNO).7 The new commander, Major General James Bryan, was also dual-hatted as Vice Director, DISA. He described the new organization and reporting structure to Congress in May 2001:

Sir, Joint Task Force-CNO is, in fact, that one-stop operational command for the Department of Defense for both offense and defense. It is important to remember that we may be a one-stop shop for operational coordination; but without the cooperation of the services and the agencies to include law enforcement as part of one team, the JTF could not do its job as well as we do. But it certainly answers the question as to who is in charge, and this operational accountability now flows from the President to the Secretary of Defense to General Eberhardt, who is CINCSPACE, to me.8

On January 10, 2003, President George W. Bush signed Change-2 to the 2002 Unified Command Plan, which included the merging of U.S. Space Command and the existing U.S. Strategic Command into the "new" U.S. Strategic Command (USSTRATCOM) under which JTF-CNO was realigned.9 By April 2004, the first Concept of Operations for network operations (NetOps) for the DoD global information grid (GIG) was approved. The roles of defensive and offensive cyberspace activities were refined during this period such that in July 2004, Secretary of Defense Donald Rumsfeld changed JTF-CNO to Joint Task Force-Global Network Operations (JTF-GNO).10 The first JTF-GNO commander was the director of DISA, Lieutenant General Harry Raduege, Jr., who later noted:

For the first time in network operations and cybersecurity history, command lines were established from the secretary of defense to the STRATCOM commander, to the JTF-GNO commander, to each of the appointed component commanders within the military services and representatives within the combatant commands and defense agencies. This framework provides an important governance model for optimally operating and defending Defense Department networks through an established command structure.11

After the inaugural year of operations, USSTRATCOM commander, General James Cartwright, approved a revised Concept of Operations (CONOPS) to capture lessons learned for JTF-GNO on August 15, 2005. The CONOPS noted that the NetOps primary mission to operate and defend the DoD's critical information backbone — the GIG — is explicitly an ongoing one: "Unlike many missions that are deemed successful at a defined completion date, the NetOps mission is perpetual, requiring continual support to be successful."12 To accomplish this, the CONOPS envisioned six critical capabilities to be employed across the spectrum of DoD operations at the strategic, operational, and tactical levels: visibility; monitoring and analysis; planning; coordinating and responding; management and administration; and control.13

Some of the practical aspects of the revised CONOPS were its delineation of NetOps within the context of joint and Service organizations. It also distinguished between NetOp events (activities that may impact operational readiness of the GIG) at the theater level and global level. NetOps Events with effects limited to a specific theater's operations — Theater NetOp Events — would be under the control of the appropriate geographic commander in the supported role, receiving necessary support from USSTRATCOM and JTF-GNO. For NetOps Events with the potential to impact the GIG across multiple theaters — Global NetOps Events — the commander, USSTRATCOM, would be the supported commander and would issue orders through to JTF-GNO to combatant commands, services, and agencies via established support and command centers.14

The command and control structure for addressing NetOps Events utilized NetOps Control Centers at the theater level (TNCC), global level (GNCC), and joint level (JNCC). The CONOPS called for TNCCs at U.S. Central Command, U.S. European Command, U.S. Northern Command, U.S. Pacific Command, and U.S. Southern Command:

to lead, prioritize, and direct Theater GIG assets and resources to ensure they are optimized to support the GCC's [geographic combatant command's] assigned missions and operations, and to advise the COCOM [combatant command] of the ability of the GIG to support current and future operations.15

As part of their Global NetOps Event responsibilities, a GNCC would provide support to functional combatant commands (FCCs), such as U.S. Transportation Command "to advise the FCC and ensure the portion of the GIG resources supporting that Commander's assigned missions and operations are optimized."16

The CONOPS also had service and interagency provisions as well as JNCCs to support a joint task force (JTF) commander by managing "the tactical communications of the joint force, serving as the NOSC [Network Operations and Security Center] for the deployed portion of the GIG supporting a JTF."17 To orchestrate all of these functions, the JTF-GNO commander was assigned several critical responsibilities to ensure proper operation and defense of the GIG, which in turn supported the missions of combatant commands, services, and agencies as well as those of the President and Secretary of Defense.18

Finally, the CONOPS set the expectation and measure of merit for its support to the warfighter simply as "the effectiveness of NetOps will be measured in terms of availability and reliability of net-centric services, across all domains, in adherence to agreed-upon service levels and policies."19 The tenets of the 2005 CONOPS continued to mature through daily operations for several years pursuing a challenge that was conveyed in the December 2008 DoD NetOps Strategic Vision, which strived for the GIG to operate "as a single, unified, agile, and adaptive enterprise capable of providing responsive and resilient support to multiple simultaneous mission areas under uncertain and changing conditions."20 To address this challenge, the DoD Chief Information Officer set three goals: share GIG situational awareness; unify GIG command and control; and institutionalize NetOps.21 Also, the broad responsibilities regarding NetOps for combatant commands expressed in the USSTRATCOM CONOPS were formally institutionalized as an integral part of the GIG by DoD that month as well.22

Offensive Cyberspace: Joint Functional Component Command-Network Warfare.

In 2003, around the same time that JTF-CNO was adjusting its organization to the reporting chain in USSTRATCOM, the DoD offensive cyberspace mission of network attack was transferred to a Network Attack Support Staff also under the operational control of USSTRATCOM but collocated with the National Security Agency (NSA).23 By January 2005, this staff evolved to become the Joint Functional Component Command — Network Warfare (JFCC-NW).24 The Director of the NSA was designated as the commander of JFCC-NW and thus the offensive cyberspace mission was separated from the defensive cyberspace mission carried out by the Director of DISA in the role of commander, JTF-GNO.25 The 2005 USSTRATCOM NetOps CONOPS defined the primary responsibilities of JFCC-NW as "planning, integrating and coordinating computer network warfare capabilities and integrating with all necessary computer network defense and exploitation capabilities."26

Further details of the capabilities and implementation of offensive cyberspace operations remain classified. For public dissemination, Lieutenant General Keith Alexander (Director, NSA and commander, JFCC-NW) summed up the state of cyberspace operations in a 2007 article as:

We [USSTRATCOM] have redefined our cyberspace mission area in terms of offensive — network warfare (NW) and defensive — network operations (NetOps) — and established JFCC-NW and JTF-GNO to address each of those mission sets, respectively.

USSTRATCOM has also begun to develop tactics, techniques, and procedures and other concepts designed to integrate cyberspace capabilities into cross-mission strike plans. We are developing concepts to address warfighting in cyberspace in order to assure freedom of action in cyberspace for the United States and our allies while denying adversaries and providing cyberspace-enabled effects to support operations in other domains. These concepts, and the cyberspace effects that they focus on, are clearly based on the military concepts of strike, fires (supporting and suppressing), and defense.27

This arrangement of two three-star general commanders reporting separately to USSTRATCOM was streamlined in late-2008 when operational command of JTF-GNO was placed under JFCC-NW.28 This change was intended to "close the seams between information assurance, network operations and defense, intelligence collection and offensive operations."29

The Trigger Event - Operation BUCKSHOT YANKEE.


In the fall of 2010, the world learned of a previously classified cyberspace operation through an article in Foreign Affairs by Deputy Secretary of Defense William J. Lynn III. Calling the 2008 incident "the most significant breach of U.S. military computers ever," Lynn went on to note that "the Pentagon's operation to counter the attack, known as Operation BUCKSHOT YANKEE, marked a turning point in U.S. cyber-defense strategy."30 Part of this strategy included the formation of a new sub-unified command under USSTRATCOM — U.S. Cyber Command (USCYBERCOM).31 The creation of USCYBERCOM was directed in a June 23, 2009, memorandum by Secretary of Defense Robert Gates. The new command would incorporate the existing elements of DoD cyberspace such as service component and agency connections. In doing this, Gates also directed the disestablishment of JTF-GNO and JFCC-NW as their functions were subsumed into USCYBERCOM.32

The first commander of USCYBERCOM, General Keith Alexander, in testimony to Congress in September 2010, recapped the events from Operation BUCKSHOT YANKEE up through initial operational capability of the new command as well as how its structure would greatly enhance future cyberspace operations.

At that time [2008], we had the defense and the operations in one command, under the Joint Task Force-Global Network Operations. And that task force got one level of intelligence and could see one part of the network.

Operating on the other side was the Joint Functional Component Command-Net Warfare, trained at a different level with different intel insights at a different classification level, same network, two organizations. And if you are operating at the National Training Center, you wouldn't have the defensive team out there defending and then take them off the field and run out with an offensive team. It is the same team.

And so the good thing that we have done here is we have brought those two together, merged those, and I think that is key to the success here. We need that to operate as one team. The offense and defense cannot be different here, because these operations will occur in real time. And I think we have to be prepared to do that.33


Initial USCYBERCOM Operations.

Secretary of Defense Gates set very aggressive dates for USCYBERCOM establishment: initial operating capability by October 2009 and full operational capability by October 2010.34 Although the first operational milestone was not achieved until May 21, 2010, USCYBERCOM was declared fully operational, which included the formal disestablishment of JTF-GNO and JFCC-NW.35 The USCYBERCOM mission was threefold: enable DoD network operations; conduct military cyberspace operations; and ensure freedom of action in cyberspace.36

Figure 1 depicts the interim structures of the developing USCYBERCOM within the larger context of DoD cyberspace. Working in parallel to the joint efforts, each military service was also tasked to develop and establish cyberspace commands to support USCYBERCOM. By October 2010, the following component support commands were in place: Army Cyber Command; Fleet Cyber Command, 10th Fleet; Marine Forces Cyber; and 24th Air Force.

Figure 1. USCYBERCOM Formation and DoD Cyber Organization (March 2010).37

Consistent with the vision put forth in the Foreign Affairs article by Deputy Secretary Lynn, General Alexander confirmed the initial direction of the first USCYBERCOM was set in three main lines of operation: defense of the Global Information Grid; execution of full-spectrum cyber operations on command; and defense of U.S. freedom of action in cyberspace. He also reiterated five principles for the initial strategy of DoD cyberspace:

• Remember that cyberspace is a defensible domain.
• Make our defense active.
• Extend protection to our critical infrastructure.
• Foster collective defenses.
• Leverage U.S. technological advantages.38

What was the vision for the practical application of these principles in military terms? General Alexander emphasized the need for the command to focus on operating jointly in support of the combatant commanders.39 This cyberspace support to the deployed warfighter was facilitated using Cyber Support Elements (CSEs) for combatant commanders and Expeditionary CSEs (ExCSEs) for joint task force commanders. These teams are scalable in size and composition to best meet mission requirements as well as establish working relationships with the directorates of intelligence (J2), operations (J3), and planning (J5). Regarding ExCSE activities that support ongoing operations, General Alexander testified to Congress in 2010 that:

Currently, USCYBERCOM has two ExCSEs teams deployed — one in Iraq and one in Afghanistan. The teams consist of five personnel: a team chief (lead planner), a cyber attack planner, a cyber defense planner, and two analysts (cyber and intelligence). USCYBERCOM embeds these teams within the supported Joint Task Force headquarters (typically J3 Directorate — Operations) to enable the delivery of cyber effects in support of the commander's priorities.40

The USCYBERCOM commander would also lead the National Security Agency (NSA) and Central Security Service, thus adding in the traditional communities of national security cryptology, signals intelligence, and information assurance into the cyberspace operations mix. Although this puts a great amount of responsibility under the purview of a single leader, General Alexander argued that it made sense for resource stewardship and unity of effort.41 From a force structure view, this included the incorporation of existing task-specific support teams, such as:

Green Teams to respond to cyber incidents; Blue Teams that provide in-depth review and resolution of cyber events; and Red Teams that emulate adversary procedures against DoD hosts to train defenders and identify vulnerabilities for mitigation.42

Current Joint Cyberspace Operations.

In January 2012, President Barack Obama and Secretary of Defense Leon Panetta gave DoD new strategic guidance for sustaining U.S. global leadership in the 21st century. This guidance centered on 10 primary mission areas where "the Joint Force will need to recalibrate its capabilities and make selective additional investments to succeed," which includes efforts to ensure protection and resiliency for cyberspace operations.43 Under General Alexander's leadership, USCYBERCOM pursued five broad command priorities to address the mandate: (1) Trained and Ready Cyber Forces; (2) Operational Concept; (3) Global Situational Awareness; (4) Defensible Architecture; and (5) Policies and Procedures to Enable Action.44

Admiral Michael S. Rogers assumed command of USCYBERCOM on April 3, 2014, and since then, he has kept the command focused on the same five priorities.45 In a June 2014 speech, he highlighted how the Joint Information Environment (JIE) will provide a truly defensible network for warfighters once it is fully mature and noted that the JIE structure is currently being implemented in Europe.46 He also provided details on the planned structures for trained and ready cyber forces. Consistent with the cyber force envisioned in the 2014 Quadrennial Defense Review,47 Admiral Rogers called for a team structure of approximately 6,000 cyber professionals divided into 133 teams across three mission areas: Cyber National Mission Force responsible for defending national critical infrastructure; Cyber Combat Mission Force responsible for cyber support to combatant commanders; and Cyber Protection Forces responsible for operating and defending the DoD information network (DoDIN).48 Table 1 depicts how these teams might be aggregated to form notional companies, battalions, and squadrons.


Current Cyberspace Mission Forces (2014 Quadrennial Defense Review):
133 Total Teams, 6,000 Pax

13 National Mission Teams with 8 National Support Teams
27 Combat Mission Teams with 17 Combat Support Teams
18 National Cyber Protection Teams (CPTs)
24 Service CPTs
26 Combatant Command and DoD Information Network CPTs

National Basic Types of Cyberspace Units (USCYBERCOM, October 2013)

Cyber National Mission Battalion/Squadron

Mission: See, Block, Maneuver in Red and Grey space to deny adversary
objectives and, if authorized, strike to destroy the capability.

1 x C2 Element
• Provide C2 and management

5 x Cyber National Mission Teams (CNMT) (64 Pax each)
• Base unit for cyber operations
• Conduct OCO/DCO/DGO
• Sustained and surge operations
• Trained, certified, and fights as a team

5 x Direct Support Teams (DST) (39 Pax each)
• Provides direct support to CNMTs
• Conduct intel and malware analysis
• Perform immediate tool development / modification and access maintenance
• Conduct target discovery / analysis
• Provide language analysis
• Planning and synchronization
• NSA initial weight to DTN DSTs, then shifting to CCMD support as capacity grows.

Cyber Combat Mission Battalion/Squadron

Mission: Target development in support of CCMD operations plans and,
when authorized, the delivery of cyber effects against CCMD targets,
followed by assessment of effects. OPCON to CCMDs under current
"Transitional" C2 model.

1 x C2 Element
• Provide C2 and cyber management for CCMD (OPCON)

1-6 x Cyber Combat Mission Teams (CCMT) (64 Pax each)
• Base unit for offensive cyber operations
• Large Scale ops CCMF has all CCMT specialties, others less
• Trained, certified, and fights as a team

1-2 x Direct Support Teams (DST) (39 Pax each)
• One DST per 3-5 CCMT
• More target region specific skills
• Perform immediate tool development / modification and access maintenance
• Conduct target discovery and analysis
• Provide language analysis
• Planning and synchronization

Cyber Protection Company/Troop

Mission: Defense of the GIG and employing teams to assist outside the
GIG when required and authorized.

2-6 x Cyber Protection Platoons
• Each Platoon has its own organic C2 element
• Each Platoon has 5 squads (see below)
• Conduct CND; tips to CNA; Penetration testing
• Trained, certified, and operates as a team

5 x Protection Squads / Platoons
• Task organized, trained and certified
• Assesses Cyber Security Posture
• Bolsters Cyber Defenses
• Conducts Counter-Cyber Ops
• Performs Cyber Threat Emulation (CTE)
• Conducts intel and malware analysis

Table 1. Cyberspace Force Presentation.49

As Cyber National Mission Force teams are being established, their
techniques and procedures are also being developed through daily
operations and exercises. Many of these exercises require coordination
across multiple lines of authority, such as the Cyber Guard 14-1
exercise conducted over 2 weeks in July 2014 "designed to test
operational and interagency coordination as well as tactical-level
operations to protect, prevent, mitigate and recover from a domestic
cyberspace incident."50

Cyber Combat Mission Force teams are also refining their methods for
providing support to combatant commanders. As depicted in Figure 2,
USCYBERCOM CSEs help to coordinate cyber support through joint
component commanders, joint task force commanders, and the combatant
commander's Joint Cyber Center. Specific operational requests may be in
the form of the Cyber Effects Request Format (CERF) process, which
"initiates cyber effects planning across all lines of operation."51
Warfighters may also use a Joint Cyber Strike Request that "sets the
timing and tempo to integrate cyber effects/fires with the supported
Joint Force Commander's operation."52 For planning and execution of
these requests, "CDRUSCYBERCOM [Commander, USCYBERCOM] deconflicts
fires delivered in and through cyberspace."53

Figure 2. USCYBERCOM Support to Combatant Commands.54


From a doctrinal viewpoint, all of the cyberspace operations for
warfighters should fall into three mission areas: DoDIN Operations,
Defensive Cyberspace Operations (DCO), and Offensive Cyberspace
Operations (OCO). DCO is bifurcated into DCO-Internal Defensive
Measures (IDM) and DCO-Response Actions (RA).55 Figure 3 depicts the
notional relationship of these functions with regard to cyberspace
missions and support teams.

Figure 3. Cyberspace Operations Functional Relationships.56

Examining further details of these functions quickly leads to
classified material that is inappropriate for this monograph. A
capstone joint doctrine publication for cyberspace operations, Joint
Publication (JP) 3-12, Joint Cyberspace Operations, was released in
February 2013 for those readers with appropriate clearance and need to
know. The unclassified synopsis states that the publication seeks to
address "the uniqueness of military operations in cyberspace, clarify
cyberspace operations-related command and operational
interrelationships, and incorporate operational lessons learned."57

EVOLUTION OF ARMY CYBERSPACE OPERATIONS


Having examined the evolution of joint cyberspace operations, this
section focuses on parallel evolutionary efforts in Army cyberspace
operations toward the establishment of Army Cyber Command. It examines
initial operations of the command under the leadership of Lieutenant
General Rhett Hernandez as well as its current operations led by
Lieutenant General Edward Cardon. This includes a brief review of
recent efforts to establish Fort Gordon, Georgia as the center of
gravity for Army cyberspace activities.

The  Founding  of  Army  Cyberspace  Operations. 

Just a few years before the formation of JTF-CND, the Army was making
organizational changes to begin consolidating the operation of
information systems. Since May 1984, the U.S. Army Information Systems
Command (ISC) provided the service-wide management of five information
disciplines: communications; automation; records management; printing
and publishing; and visual information. Based on the perceived need for
better control over regional communication and computer systems by Army
major commands and theater commanders, ISC was disbanded, and the Army
Signal Command was created in September 1996. During the next 6 years,
the command focused on strategic signal support to Army combat units
worldwide. However, these units were equipped and resourced at the
major command or theater level with little coordination. Thus, the
Army-wide information system became increasingly nonstandard in its
equipment and protocols at a time when threats to the system were
growing more complex and widespread.58

To address these issues, the U.S. Army Network Enterprise Technology
Command/9th Army Signal Command (NETCOM/9th ASC) was established in
August 2002. Its mission was to "operate, manage, and defend the Army's
'Infostructure' at the enterprise level" to provide "Command, Control,
Communications, Computers, and Information Technology common user
services and signal warfighting forces in support of the Army, its Army
service Component Commanders, and the Combatant Commanders." This
included operation and defense of the Army's portion of the GIG.59

The USSTRATCOM 2005 CONOPS for GIG NetOps identified the Commander,
U.S. Army Space and Missile Defense Command (USASMDC)/Army Forces
Strategic Command (ARSTRAT) as the Army service component to
JTF-GNO.60 The Army NetOps structure had three tiers: (1) the central
command element of the Army Network Operations and Security Center
(ANOSC), referred to in the CONOPS as the Service Global Network
Operations and Security Center (SGNOSC); (2) the combatant command
support elements of the Theater Network Operations and Security
Centers, referred to in the CONOPS as the Service Theater Network
Operations and Security Centers; and (3) support elements within
theater of the Regional Network Operations and Security Centers.61
Figure 4 depicts how the Army implemented this three-tiered structure
across the five geographic combatant commands. The ANOSC62 (or SGNOSC)
at Fort Belvoir, VA, provided "decisionmakers a comprehensive,
integrated, near real-time, situational awareness, [and] operational
reporting capability" as well as "worldwide operational and technical
support to the LandWarNet across the tactical and strategic levels."63

Figure 4. U.S. Army NetOps Forces (Circa 2005).64

In October 2006, the Army reinforced the NETCOM/9th ASC mission and
redesignated it as the U.S. Army Network Enterprise Technology
Command/9th Signal Command (Army) (NETCOM/9th SC (A)). Its mission was
clarified to formally include network-centric operations in the context
of the LandWarNet by executing:

globally based and expeditionary communications capabilities to enable
joint and combined battle command, leveraging the information grid to
ensure extension and reachback capabilities to the warfighter.

It was to accomplish this "through globally postured theater signal
commands, brigades, and regional information managers."65

Perhaps a good example of warfighter support facilitated by NetOps
using the GIG is that of friendly force tracking (FFT). Originally
called blue force tracking, the initial aim of the program was for U.S.
Space Command to use national technical means "to provide a beyond
line-of-sight, low probability of detection and interception, precise
location of Special Operations Forces elements."66 When U.S. Space
Command merged with U.S. Strategic Command in 2002, the FFT mission
operational control transitioned to USASMDC/ARSTRAT. In December 2008,
the USSTRATCOM FFT mission was refined and USASMDC/ARSTRAT was given
responsibility "to provide FFT data services on a continuous basis to
combatant commands" and interagency and coalition users (when directed)
as well as "to provide a combat development capability integrating FFT
data into current and planned architectures for use on the appropriate
Common Operating Picture."67 The system has now become so integrated
into joint operations that it may be taken for granted. Its continued
success depends on coordinated NetOps support to generate, collect,
process, disseminate, and display joint FFT information to warfighters
worldwide.68

The 2009 version of the U.S. Army Posture Statement contained a summary
of the Army's evolving cyber operations, which included descriptions of
the NETCOM/9th SC defensive cyberspace focus of NetOps as well as the
Army Intelligence and Security Command (INSCOM) offensive cyberspace
focus of network warfare. By this time, Army cyberspace operations had
been:

integrated throughout Service and Joint Force structure, from strategic
levels such as the Defense Information Service Agency, Joint Task
Force-GNO, NSA, and Joint Functional Component Command-Network Warfare
down to the Brigade Combat Team (BCT) level.

This included forward-based forces within theater signal commands,
military intelligence brigades, and planning elements.69

Initial  Army  Cyber  Command  Operations. 

In May 2009, the Army established a cyberspace task force to examine
how to organize the service's cyberspace assets to support the
anticipated establishment of a sub-unified command in USSTRATCOM
dedicated to cyberspace operations. Specifically, the task force would
synchronize the cyberspace-related activities of the Army Staff
Intelligence/G-2, Operations/G-3, and Chief Information Officer/G-6.
More importantly, it would examine if existing organizations (i.e.,
NETCOM, INSCOM, or USASMDC/ARSTRAT) could best provide the headquarters
functions to direct the Army's existing cyberspace operation
capabilities, or if a new command should be established. When Defense
Secretary Gates issued his June 2009 memorandum to establish
USCYBERCOM, the Army opted to retain USASMDC/ARSTRAT as the interim
choice for U.S. Army Forces Cyber Command (ARFORCYBER).70 At that time,
the organization of Army cyberspace forces was largely the same as it
had been described in the 2005 USSTRATCOM CONOPS, with a central
command element and Theater Network Operations and Security Centers
(TNOSCs) as well as Army Computer Emergency Response Teams (ACERTs).
The Army Global Network Operations and Security Center (AGNOSC)
remained essential to warfighting as "the Army's global eyes and ears
in cyberspace . . . actively defending the Army's operational and
generating force information capabilities from a continuously evolving,
adaptive enemy." Also, TNOSCs continued their mission to "direct the
operations, management and defense of the Army's portion of the link to
the GIG."71

In February 2010, based on "the increasing global scope of the
cyberspace mission," the Army chief of staff approved the establishment
of a separate command for ARFORCYBER.72 In June 2010, it was announced
that Major General Rhett A. Hernandez would be the new ARFORCYBER
commander with the task of achieving Army Cyber Command full
operational capability by October 2010. While the roles of NETCOM/9th
SC (A) and INSCOM remained largely unchanged, a new nerve center for
Army cyberspace operations was created: the Army Cyber Operations and
Integration Center (ACOIC).73 With functions similar to those of the
previous AGNOSC, the ACOIC was designed not only to provide Army forces
with "clear, concise, and timely direction to execute full spectrum
operations in cyberspace" but also to coordinate Army cyberspace
operations and "to share information with other Army commands, our
counterparts in the other services, and the U.S. Cyberspace Joint
Operations Center." To facilitate this integration, some ACOIC
personnel were physically embedded with the USCYBERCOM joint staff.74

As the organization charts were being redrawn for ongoing Army
cyberspace operations, the Army Training and Doctrine Command (TRADOC)
began a "Cyberspace/Electromagnetic Contest" capabilities-based
assessment in February 2010.75 TRADOC also published the "Cyber
Operations Concept Capability Plan 2016-2028" in February 2010 as the:

first step in developing a common understanding of how technological
advancements transform the operational environment, how leaders must
think about cyberspace operations, how they should integrate their
overall operations, and which capabilities are needed.76

The report assessed that "the Army's current vocabulary, including
terms such as computer network operations (CNO), electronic warfare
(EW), and information operations (IO) will become increasingly
inadequate."77 It posited three interrelated dimensions of full
spectrum operations built upon these elements: one of "psychological
contest of wills;" a second of "strategic engagement;" and the third
dimension of "the cyber-electromagnetic contest" — the focus of the
plan.78 Arguing that cyberspace operations (CyberOps) was more than the
CNO and NetOps, the plan introduced "four components for CyberOps:
CyberSA, CyNetOps, CyberWar, and CyberSpt, with CyberWar and CyNetOps
being the primary operational components."79 The plan went on to
develop an initial matrix of required capabilities for each element in
the areas of doctrine, organizations, training, materiel, leadership
and education, personnel, and facilities.80

As planned, Army Cyber Command was established on October 1, 2010,81
with a split-based scheme that had its headquarters at Fort Belvoir,
and select staff elements located with or near USCYBERCOM at Fort
Meade, MD.82 Its mission was threefold: to lead the planning and
implementation of Army NetOps and defense of Army networks; when
directed, to conduct cyberspace operations to ensure freedom of action
in cyberspace and to deny the same to adversaries; and to report,
assess, and mitigate Army cyberspace incidents.83

Over the next year, several modifications were implemented to the
initial U.S. Army Cyber Command (ARCYBER) organizations. In February
2011, Secretary of the Army John M. McHugh issued a directive that the
Army IO mission transfer to ARCYBER. Along with this new mission,
ARCYBER received operational control over the 1st Information
Operations Command (Land), which included IO support to warfighters
using deployable teams that could leverage reach-back planning and
analysis as well as synchronize and conduct CNO tasks.84 In October
2011, the 780th Military Intelligence Brigade became ARCYBER's cyber
brigade to serve as the command's "operational arm for full-spectrum
cyberspace operations."85 As such, the brigade was "organized to
support USCC [USCYBERCOM] and combatant command cyberspace operations"
as well as to conduct "signals intelligence and computer network
operations, and enables Dynamic Computer Network Defense of Army and
DoD networks."86 ARCYBER also established the Army Cyberspace Proponent
Office "to define the Army's future cyberspace force; design its
organizations; establish the requirements to build it (both
technological and human); and to develop the overarching cyberspace
doctrine and operational constructs."87 The command relationships
resulting from these first-year changes are depicted in Figure 5.

During the first year of operation, ARCYBER did much to advance Army
cyberspace operations along three lines of effort: operationalizing
cyberspace; growing Army cyber capacity and capabilities; and
recruiting, developing, and retaining Army cyber professionals. At a
public conference in August 2011, Lieutenant General Hernandez
discussed nine major accomplishments for the year that highlighted
progress in the operationalization and unity of effort within the
command.

Figure 5. U.S. Army Cyber Command/Second Army (Circa 2011).88

Although these were significant steps forward, there still remained
considerable work to achieve the commander's vision "to effectively
defend our networks and deter and oppose our adversaries" as well as
"to enable cyberspace activities under various authorities to work in
concert with each other to more effectively support cyber
operations."89 Fundamental first steps in achieving these goals include
improving our ability to see and understand our networks better. We
will do this by collapsing our networks from a disparate, loose
federation into one Army enterprise network. This will enable us to
establish centralized control of our networks and give us more
complete, integrated visibility into them. Having accomplished this, we
can then establish an active defense in depth across the network.

Current  Army  Cyberspace  Operations. 

Looking toward the future, the 2012 Army Posture Statement identified
three essential cyberspace elements to fulfill the needs of the dynamic
information environment of 2020: a cyberspace enterprise; a "combined
arms" cyberspace force; and integration, planning, and synchronization
of cyberspace effects.90 To fully incorporate these cyberspace elements
into full spectrum operations, three cyberspace imperatives were set
forth in the areas of personnel, cross-domain operations, and
integrated operations. The personnel focus is to pursue "the
development of Cyberspace Warriors and cyberspace formations to gain
physical, temporal, and psychological advantages over an enemy will
enable freedom of movement in, from, and through cyberspace."91 The
second imperative seeks to make cyberspace operations "routine and
pervasive" given that "the Army will embrace cross-domain synergy
between land and cyberspace. Cyberspace operations will be a critical
part of 'How the Army Fights'."92 The third imperative is probably the
most challenging since it deals with several evolving mission areas:
"Army Cyber will integrate and synchronize cyberspace operations with
electronic warfare, electromagnetic spectrum operations, information
operations, and space operations to achieve commander's objectives to
ensure mission command."93

ARCYBER continued to evolve with efforts to address capability gaps
identified in TRADOC's Cyber/Electromagnetic Capability Based
Assessment. These included:

increase our [ARCYBER] World Class Cyber Opposition Force (WCCO)
capacity to provide realistic, challenging cyberspace training in the
conduct of Unified Land Operations to exercises, Home Station Training,
and Combat Training Centers; increase our capability to conduct active
defense of Army Networks through "Hunt Teams" that can find, fix, and
mitigate currently un-detected malicious actors already inside the DoD
infrastructure; provide capability to integrate cyberspace operations
into Regional Army Land operations to support commanders' tactical and
operational cyber planning and integration; increase intelligence
personnel to support Army Cyber Command's operations Center, and
improve our capability for rapid development of network defense tools;
increase capacity to conduct our ability to conduct force modernization
for cyberspace operations by developing requirements and solutions.94

In addition to these areas, ARCYBER also made progress in building
relationships with allies and partner nations through participation in
operational planning and Theater Security Cooperation efforts with
combatant commands.

In September 2013, ARCYBER/2nd Army welcomed its second commander,
Lieutenant General Edward C. Cardon, who continued to build on the
foundation created by Lieutenant General Hernandez. In his initial
assessment of the command, Lieutenant General Cardon identified the
three greatest continuing challenges as "building cyber capability and
capacity; transitioning to a more defensible platform; and gaining
situational awareness in cyberspace."95

In March 2014, the Army affirmed its commitment to unity of effort in
cyberspace operations and refined the command relationships: making
ARCYBER an Army Force Component Headquarters; designating 2nd Army as a
direct reporting unit; and assigning NETCOM/9th SC (A) to 2nd Army,
with Commander, NETCOM dual-hatted as the Deputy Commanding General,
2nd Army.96 Figure 6 depicts the command relationship of this time
frame.

Figure 6. U.S. Army Cyber Command/Second Army (Circa 2014).97

After leading the command for 6 months, Lieutenant General Cardon
offered additional refinements into these challenge areas, focusing on
limitations of existing information architectures and cyber training as
well as more strategic issues of risk assessment and authorities to
match operating concepts. At the operational level, he discussed
cyberspace operations in terms of maneuver on "cyber terrain" where one
could replace traditional maps with "roads as [information] transport —
fiber, satellite links, wireless. Think of the intersections as routers
and switches, and think of the buildings as endpoints or people with
mobile devices."98 In such a schema, ARCYBER needs to recognize
"there's a real nexus between land, cyber, and the human domains." At
the strategic level, he noted that "cyber's a domain and it must be
integrated with other domains to provide options to the National
Command Authority."99

To help address these myriad tasks, ARCYBER is applying the total force
concept to current Army cyberspace operations. For example, the 1st IO
Command includes four Reserve Component Theater IO Groups with
deployable capability that "provides IO and cyberspace planning,
analysis and technical reach back; and offers specialized IO and
cyberspace training to assist the warfighter in garrison, during
exercises, or in conflict."100

Army National Guard (ARNG) units also play important cyberspace roles
that may leverage technical experience from their civilian jobs. The
Guard's 2015 Posture Statement summarizes some of the advantages this
arrangement offers, to include unique legal authorities, knowledge of
local critical infrastructure, and experience from work with commercial
IT companies.101 A specific application of this concept was initiated
on June 5, 2014 when a memorandum of understanding was signed between
ARCYBER/2nd Army and the ARNG to have the 1636th Cyber Protection Team
serve in active Title 10 status in support of ARCYBER/2nd Army. The
unit may be called upon to conduct any of the following missions:

defensive cyberspace operations, cyber command readiness inspections,
vulnerability assessments, cyber operational forces support to emulate
threats, critical infrastructure assessments, theater security
cooperation and Federal Emergency Management Agency support.102

Probably the biggest change on the horizon for ARCYBER is the pending
move of its headquarters to Fort Gordon, GA. The Army assessed this as
the best option to address the need for additional space once the
command outgrew its facilities at Fort Meade. In theory, moving to Fort
Gordon is the least costly alternative. Also, the collocation of the
Army's operational cyber headquarters with the Army's Joint Force
Headquarters-Cyber and NSA-Georgia will require 150 fewer personnel.103

Part of the consolidation of Army cyber forces at Fort Gordon is the
establishment of the Army Cyber Center of Excellence (CoE) there with
goals of "aligning Army cyber proponency within TRADOC, creating
institutional unity and a focal point for cyber doctrine and
capabilities development, training, and innovation."104 In fact, on
March 28, 2014, the U.S. Army Signal CoE became the Army Cyber CoE with
the initial fusion of various elements of cyber, signal, and electronic
warfare training completed by October 2014 and full operating
capability achieved by October 2015.105 The new CoE is now responsible
for the development of Army signal and cyber doctrine and is currently
working to produce Field Manual (FM) 3-12, Cyberspace Operations, which
will provide "tactics and procedures for the coordination and
integration of cyberspace operations in support of unified land
operations."106
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The  most  significant  current  Army  doctrine  re¬ 
garding  cyberspace  is  FM  3-38,  Cyber  Electromagnetic 
Activities  (CEMA),  first  published  in  February  2014. 
It  provides  "an  overview  of  principles,  tactics,  and 
procedures  on  Army  integration  of  CEMA  as  part  of 
unified  land  operations."  Further,  it  describes  how 
Army  "CEMA  are  implemented  via  the  integration 
and  synchronization  of  cyberspace  operations,  elec¬ 
tronic  warfare  (EW),  and  spectrum  management  op¬ 
erations  (SMO)."107  Focusing  on  Chapter  3  of  FM  3-38, 
the  depiction  of  the  doctrinal  concept  of  cyberspace 
operations  as  three  interdependent  functions  (see 
Figure  7)  is  consistent  with  terminology  of  USCYBERCOM.108
While  a  worthy  topic,  the  detailed  analysis  of
the  CEMA  concept  depicted  in  FM  3-38  is  beyond  the 
scope  of  this  monograph. 


Figure  7.  U.S.  Army  Cyberspace  Operations 
Functions.109 

Following  the  model  of  the  Quadrennial  Defense
Review  (QDR)  and  USCYBERCOM,  ARCYBER  imple¬ 
ments  its  mission  across  four  team  structures:  (1)  Joint 
Force  Headquarters-Cyber  to  provide  operational  and
tactical  planning  support  to  Combatant  Commands; 
(2)  Cyber  National  Mission  Force  to  defend  the  nation 
by  seeing  adversary  activity,  blocking  attacks  and  ma¬ 
neuvering  to  defeat  them;  (3)  Cyber  Protection  Force 
to  defend  DODIN  and,  when  authorized,  other  infra¬ 
structure;  and  (4)  Cyber  Combat  Mission  Force  to  con¬ 
duct  military  cyber  operations  in  support  of  combat¬ 
ant  commanders.110  Figure  8  depicts  how  the  goal  of 
operationalizing  cyber  is  achieved  by  combining  these 
teams  with  the  organization  shown  in  Figure  8  and 
overlaying  them  across  the  ARCYBER  mission  areas. 

Figure  8.  U.S.  Army  Cyberspace  Operations
Spectrum.111 

A  recent  example  of  the  continuing  evolution  of 
Army  cyber  forces  to  support  these  team  structures  is 
the  7th  Signal  Command  (Theater)  efforts  to  establish 
a  new  Cyber  Mission  Unit  (Provisional)  that  will  focus 
on  defensive  operations  for  Army  networks.  The  new 
unit  will  form  Cyber  Protection  Teams  to  "conduct 
global  cyberspace  operations  to  deter,  disrupt,  and 
help  defeat  the  nation's  adversaries  in  cyberspace.
They  will  rapidly  evaluate,  and  act  proactively  and
reactively  to  dynamic  cyber  situations."112

CYBERSPACE  OPERATIONS  IN  A 
GLOBAL  CONTEXT113 

Thus  far,  this  monograph  has  addressed  how  cy¬ 
berspace  forces  are  currently  being  integrated  across 
the  full  spectrum  of  traditional  domain-based  military 
operations.  But  is  this  approach  sufficient  to  address 
the  full  scope  of  cyberspace  operations  now  and  into 
the  future?  This  section  takes  a  more  theoretical  slant 
to  addressing  this  question  as  it  examines  an  interna¬ 
tional  environment  of  multiple  actors  interacting  with 
varying  degrees  of  tension.  In  such  a  global  situation, 
cyberspace  operations  seeking  to  produce  certain  ef¬ 
fects  must  also  be  examined  for  their  potential  to  cause 
escalation  of  activities;  possibly  even  up  to  the  point 
of  existential  threat. 

When  the  stakes  become  this  high,  then  the  topic 
of  national  deterrence  comes  into  play.  Indeed,  one  of 
the  principles  to  guide  development  of  the  Joint  Force 
of  2020  is  to  "include  a  renewed  emphasis  on  the  need 
for  a  globally  networked  approach  to  deterrence  and 
warfare."114  Admiral  Rogers  during  his  congressio¬ 
nal  confirmation  hearing  for  the  position  of  CDRUS- 
CYBERCOM  noted  that  "cyber  warfare  is  a  complex 
and  evolving  discipline,  and  the  subject  of  deterrence 
is  drawing  increasing  attention  at  all  levels  of  govern¬ 
ment  and  the  Interagency,  and  in  our  discussions  with 
our  international  partners."115 

A  thorough  examination  of  the  topic  of  how  all  cy¬ 
berspace  operations  influence,  and  are  influenced  by, 
global  deterrence  consideration  may  require  several 
volumes  of  work.  Instead,  this  monograph  will  introduce
a  methodology  —  the  modified  Herman  Kahn
Escalation  Ladder  —  and  use  it  to  analyze  the  specific
case  of  active  cyber  defense  (ACD)  operations.  Readers
may  then  modify  and  apply  the  analysis  framework
for  their  own  needs.  For  our  purpose,  ACD  is
a  concept  that  is  currently  embodied  in  the  terms  cy¬ 
ber  defense  in  depth  or  DCO-RA.116  The  effective  use 
of  ACD  as  an  instrument  of  national  policy  is  not  an 
isolated  process  with  defined  boundaries.  Rather,  it 
involves  intertwined  processes  that  transpire  within 
a  dynamic  international  environment.  Ideally,  such 
defenses  will  deter  potential  aggressors  and  work  to 
defeat  any  who  are  not  deterred.  This  section  explores 
how  ACD  may  integrate  with  traditional  military  op¬ 
erations  across  the  spectrum  of  international  conflict 
as  well  as  how  such  defenses  influence  national  re¬ 
sponses  related  to  deterrence  and  escalation. 

A  key  aspect  in  addressing  this  issue  is  to  explore 
such  activities  in  the  realm  of  existential  threat,  which 
traditionally  is  limited  to  nuclear  warfare.  Proper  de¬ 
terrence  at  this  level  can  serve  as  an  essential  element 
of  an  overall  risk  reduction  strategy  to  keep  inevitable 
and  unpreventable  minor  cyber  incidents  from  esca¬ 
lating.117  Thus,  let  us  examine  defensive  and  offensive 
cyber  capabilities  in  the  context  of  an  expanded  mod¬ 
el  for  strategic  deterrence  that  embraces  and  expands 
traditional  nuclear  deterrence.  This  approach  reflects  a 
more  realistic  international  environment  where  major 
cyber  attacks  are  not  considered  to  be  isolated  events, 
but  rather  as  one  instrument  among  many  aimed  at 
achieving  strategic  goals.118 

Kahn  Model  of  Escalation  and  Deterrence.

Current  U.S.  military  doctrine  defines  deterrence 
as  "the  prevention  of  action  by  the  existence  of  a 
credible  threat  of  unacceptable  counteraction  and/or 
belief  that  the  cost  of  action  outweighs  the  perceived 
benefits,"  but  interestingly,  the  definition  for  escala¬ 
tion  has  been  removed.119  This  change  appropriately 
reflects  the  doctrine's  focus  on  theater-level  military 
operations  using  a  six-phase  model  with  a  second 
phase  of  "Deter."  The  context  for  strategic  deterrence 
focuses  on  influencing  the  decisionmaking  of  poten¬ 
tial  adversaries  not  to  take  actions  that  threaten  vital 
interests.  This  is  achieved  through  credible  threat  of 
action  in  three  ways:  denying  them  benefits;  imposing 
costs;  and  encouraging  constraint.120  Implicit  in  this 
paradigm  is  the  credibility  to  raise  the  stakes  —  escalate
the  conflict  —  to  a  point  that  is  not  acceptable  by
the  adversary. 

A  famous  model  developed  during  the  Cold  War 
was  Kahn's  Escalation  Ladder  that  he  described  as  "a 
methodological  device  that  provides  a  convenient  list 
of  the  many  options  facing  the  strategists  in  a  two-sid¬ 
ed  confrontation."121  He  illustrated  his  metaphor  as  a 
ladder  with  44  "rungs"  grouped  into  7  larger  crises 
regions  of  increasing  intensity  separated  by  distinct 
threshold  events.  His  concept  is  useful  to  view  the 
changes  in  conflict  based  on  the  interplay  between  the 
political,  diplomatic,  and  military  issues  surrounding 
the  conflict  and  the  level  of  violence  and  provocation 
at  which  it  occurs.122  Although  created  in  a  different 
era  of  conflict,  the  Kahn  ladder  can  be  evolved  and 
expanded  to  strategic  warfare  that  includes  other 
weapons  in  the  deterrence  force  mix,  such  as  global 
conventional  strike  and  offensive  cyber  operations.123 
The  goal  is  not  to  replace  nuclear  forces,  but  rather,  to
develop  a  more  holistic  integration  of  strategic  forces. 

Simplified  Escalation  Ladder. 

To  examine  a  more  integrated  deterrence  meta¬ 
phor,  let  us  first  simplify  the  Kahn  ladder  by  limiting 
it  to  the  seven  major  crisis  regions  and  their  thresh¬ 
olds.  In  the  original  model,  the  Bizarre  Crises  region 
included  five  rungs  that  depict  the  initiation  of  actions 
related  to  limited  nuclear  warfare  in  various  forms.124 
Let  us  divide  these  regions  at  the  level  of  Bizarre  Cri¬ 
ses  into  a  lower  half  group  that  encompasses  conflict 
at  the  theatre/regional  level  and  an  upper  half  group
that  addresses  existential  conflict  (see  Figure  9). 


Figure  9.  Modified  Kahn  Escalation  Ladder.125 


The  lower  half  of  the  simplified  ladder  starts  with 
Subcrises  Maneuvering,  which  consists  of  political, 
economic,  and  diplomatic  gestures,  as  well  as  formal 
declarations,  to  demonstrate  resolve.  When  military 
forces  come  into  play,  the  activity  crosses  the  threshold 
to  Traditional  Crises.  In  this  region,  activity  increases 
progressively  from  shows  of  force  and  mobilization, 
through  harassing  acts  of  violence,  and  up  to  dramatic 
confrontations.  When  military  forces  become  the  main 
focus  of  conflict,  the  activity  crosses  the  threshold  to 
Intense  Crises,  and  the  view  of  nuclear  stockpiles 
changes  from  hypothetical  to  realistic  threats.  In  this
region,  diplomatic  measures  support  coercion  using 
provocative  acts  such  as  ultimatums,  embargos,  and 
blockades.  Conventional  conflict  increases  in  its  scope 
and  intensity  toward  the  formal  declaration  of  war 
and  movement  closer  to  the  incorporation  of  nuclear 
weapons.126 

The  upper  half  of  the  simplified  escalation  ladder 
deals  with  conflict  that  has  escalated  to  the  point  of 
potential  existential  threat  of  nuclear  attack.  It  begins 
with  Exemplary  Central  Attacks  where  nuclear  weap¬ 
ons  are  used  in  a  restrained  manner  against  specific 
military,  infrastructure,  or  population  targets.  As  ac¬ 
tivities  progress  through  the  ladder  rungs,  recipro¬ 
cal  reprisals  occur.  When  military  forces  become  the 
main  focus  of  nuclear  weapons,  the  activity  crosses 
the  threshold  into  Military  Central  Wars.  In  this  re¬ 
gion,  military  commanders  have  access  to  all  the 
resources  of  the  nation  as  well  as  nuclear  weapons, 
but  they  use  tactics  that  limit  collateral  damage  to  an 
opponent's  civilians.  Its  rungs  progress  from  target¬ 
ing  specific  property  and  forces  in  equal  responses,  to 
constrained  force-reduction  attacks,  then  to  increas¬ 
ingly  intensive  counterforce  strikes  using  nuclear 
weapons.  When  these  counterforce  strikes  exceed  any
attempt  to  spare  civilians,  then  the  activity  crosses  the 
final  threshold  into  Civilian  Central  War.  This  is  the 
region  of  nightmarish  nuclear  exchanges  that  devolve 
from  "city-trading"  attacks  of  resolve,  to  purposeful
destruction  of  the  enemy's  society,  and  ultimately  to 
the  insensate  launch  of  all  weapons  without  regard  to 
consequences.127

Movement  Along  the  Ladder. 

Kahn  designed  his  ladder  metaphor  to  examine 
the  interrelations  between  two  sets  of  elements  surrounding
a  given  escalation  situation  —  those  specific
to  the  region  of  the  present  conditions  and  those  re¬ 
lated  to  the  dynamics  of  moving  on  the  ladder.  He 
envisioned  the  ladder  to  model  two-sided  escalation 
(usually  the  United  States  and  the  Union  of  Soviet  So¬ 
cialist  Republics)  that  met  certain  conditions  related 
to:  commitment  of  resources;  value  placed  on  victory; 
interest  in  systems  bargaining  to  preserve  precedents; 
motivations  and  strategies  for  escalation;  desire  to  ap¬ 
pear  to  be  following  accepted  norms;  and  danger  and 
avoidance  of  upper  levels  of  escalation.  He  divided 
national  conduct  related  to  movement  on  the  ladder 
into  five  categories:  contractual  (quid  pro  quo);  coercive 
(stick  versus  carrot);  agonistic  (prescriptive  rules);  sty¬ 
listic  (accepted  norms),  and  familial  (positive  cultural 
aspects).  As  one  might  expect,  activities  in  these  cate¬ 
gories  would  reflect  the  use  of  all  elements  of  national 
power  (political,  economic,  information),  and  thus 
Kahn  asserted  that  "mere  military  superiority  will  not 
necessarily  assure  'escalation  dominance'."128 

Admittedly,  the  paradigm  is  not  perfect.  The 
movements  reflecting  escalation  are  not  necessarily 
sequential,  symmetric,  or  reversible.  Also,  the  ladder
is  not  very  useful  at  illustrating  the  effects  of  multiple 
simultaneous  moves.  Any  analysis  should  also  recog¬ 
nize  that  an  adversary  will  also  have  a  ladder  (implicit 
or  explicit)  that  is  likely  different  in  its  placement  and 
perception  of  conditions.  It  also  assumes  the  interac¬ 
tions  involve  rational  players  in  a  model  that  often 
fails  to  fully  embrace  ambiguity  and  uncertainty  re¬ 
lated  to  acceptable  alternatives  and  long-term  stabili¬ 
ty.129  Regardless,  the  simplified  ladder  offers  a  reason¬ 
able  framework  to  examine  an  integrated  strategy  of 
deterrence. 

Examining  Escalation  and  Deterrence. 

With  the  foundation  of  the  simplified  escalation 
ladder,  let  us  apply  it  to  a  broader  view  of  strategic 
warfare  that  includes  conventional  global  strike  and 
cyber  offensive  forces  in  addition  to  nuclear  forces  to 
provide  deterrence  across  domains.  Once  this  is  codi¬ 
fied,  we  can  then  examine  the  roles  of  ACD  in  the  para¬ 
digm.  To  be  clear,  this  is  not  an  examination  of  a  cyber 
escalation  ladder  developed  by  Dunn  Cavelty.130  Nor 
is  it  akin  to  analysis  by  Martin  Libicki  that  downplays 
valuable  lessons  from  the  Cold  War  and  considers 
"cyber  escalation"  largely  in  isolation.131  Rather,  this 
analysis  addresses  a  more  evolutionary  and  holistic 
view  of  modern  deterrence  and  warfare  with  a  scope 
emphasizing  various  forms  of  the  military  instrument 
of  power.  For  the  scope  of  this  monograph,  examples 
of  national  policies  and  doctrines  will  be  drawn  from 
those  of  the  United  States. 

Types  of  Warfare  and  Factors.

Conflict  in  the  lower  half  of  the  simplified  lad¬ 
der  involves  the  evolving  forms  of  conventional  and 
irregular  warfare  at  the  theater/regional  level.  Military
forces  are  organized,  trained,  equipped,  and  employed
in  traditional  domains,  but  they  also  adopt
activities  in  the  cyberspace  realm  as  an  integral  part 
of  joint  operations.132  The  U.S.  concept  of  globally  in¬ 
tegrated  operations  provides  guidance  and  details  for 
a  force  that  by  2020  can  "quickly  combine  capabilities 
with  itself  and  mission  partners  across  domains,  ech¬ 
elons,  geographic  boundaries,  and  organizational  af¬ 
filiations."133  These  would  incorporate  existing  teams 
from  USCYBERCOM  that  "operate  and  defend  the 
networks  that  support  military  operations  world¬ 
wide"  as  well  as  "support  combatant  commanders 
as  they  execute  military  missions."134  Conflicts  would 
strive  to  protect  national  interests  and  achieve  stabil¬ 
ity  in  the  given  region  with  approaches  that  adhere 
to  internationally  acceptable  norms.  Kinetic  attacks 
would  emphasize  precision  of  targeting  and  delivery 
as  well  as  predictable  results  that  are  appropriately 
limited  in  first  order  and  collateral  effects. 

In  the  upper  half  of  the  simplified  model,  conflict 
has  escalated  to  the  point  where  vital  national  inter¬ 
ests  are  threatened,  potentially  to  the  degree  of  exis¬ 
tential  vulnerability.  To  deter  or  confront  such  threats, 
consider  a  military  force  structure  that  adds  protected 
conventional  strategic  strike  and  offensive  cyber  capa¬ 
bilities  to  traditional  nuclear  forces  delivered  by  air¬ 
craft  or  long-range  missiles.  This  concept  developed 
by  the  U.S.  Defense  Science  Board  maintains  the  need 
for  cyber  defense  of  an  overarching  nuclear  capability 
as  well  as  a  portion  of  conventional  global  strike  forces
that  are  segmented  from  similar  lower  half  forces
to  receive  enhanced  cyber  survivability  measures.135 
Akin  to  the  original  Kahn  model,  attacks  will  inten¬ 
sify  to  counterforce  targets  and  then  broaden  to  civil¬ 
ian  infrastructure  toward  a  worst  case  of  being  totally 
indiscriminate.  Conflicts  at  these  degrees  of  escalation 
are  likely  to  operate  outside  of  accepted  international 
norms,  or  perhaps  even  in  ways  where  no  norms  exist. 
Weapon  delivery  precision,  effect  predictability,  and 
collateral  damage  avoidance  become  more  difficult 
due  to  the  increased  intensity  of  operations  as  well 
as  less  important  when  compared  to  the  increasing 
national  stakes. 

The  strategic  war  threshold  between  the  lower  and 
upper  escalation  areas  is  no  longer  limited  to  the  use 
of  nuclear  weapons,  and,  in  fact,  it  is  highly  unlikely 
that  any  limited  nuclear  exchange  would  occur.  Rath¬ 
er,  this  becomes  the  region  where  limited  offensive  cy¬ 
ber  or  conventional  global  strike  may  begin  against  vi¬ 
tal  targets  found  in  the  upper  half.  Such  strikes  could 
have  effects  beyond  the  accepted  proportionality  and 
perfidy  of  those  in  the  limited  conflict,  whether  by  de¬ 
sign  or  by  accident.  Thus,  it  is  crucial  for  forces  to  be 
cautious  in  the  use  of  such  weapons  to  minimize  un¬ 
intended  consequences  that  may  cross  into  the  upper 
half  of  the  ladder. 

Dynamics  of  Conflict. 

In  the  lower  half,  Kahn  notes  there  are  three  main 
ways  to  escalate  a  limited  conflict:  increase  its  inten¬ 
sity;  widen  the  area;  or  compound  the  escalation  by 
attacking  other  actors.  He  offers  an  analogy  for  this 
area's  dynamics  as  being  similar  to  those  of  a  labor 
strike.  In  each  case,  it  is  assumed  that  both  sides  have 
serious  issues  to  resolve,  sometimes  through  threats
of  harm,  but  there  is  no  real  desire  to  do  permanent  or 
excessive  damage.  As  with  a  labor  strike,  the  conflict 
may  require  considerable  give-and-take  bargaining  to 
ensure  stability  between  the  parties.136 

In  contrast,  conflict  in  the  upper  half  of  the  ladder 
can  be  likened  to  a  game  of  "chicken,"  a  contest  of 
brinksmanship  that  creates  a  winner  when  the  loser 
loses  their  nerve  (such  as  driving  two  cars  toward 
each  other  to  see  who  will  swerve  to  avoid  a  collision). 
Unfortunately,  in  the  worst  case,  both  parties  are  de¬ 
stroyed  (no  one  swerves),  and  in  the  best  case,  the 
loser  is  humiliated,  leaving  little  chance  for  compro¬ 
mise  or  face  saving  necessary  for  long-term  stability.137 
Thus,  a  strategy  of  deterrence  should  include  widely 
understood  precedents  and  thresholds  to  be  reliable 
for  stability  and  controlled  escalation  that  can  prevent 
a  game  of  chicken  being  played  with  nuclear  weapons. 

Roles  of  Active  Cyber  Defense. 

As  previously  noted,  the  term  ACD  has  no  uni¬ 
versal  definition,  but  it  is  generally  considered  to  in¬ 
clude  proactive  measures  that  may  extend  beyond  the 
particular  network  being  defended.  The  roles  of  ACD 
and  their  relation  to  the  dynamics  of  conflict  and  es¬ 
calation  can  be  illustrated  as  the  ladder  turned  on  its 
side  as  in  Figure  10.  In  the  lower  half  of  conflict,  the 
reality  that  there  will  always  be  minor  cyber  probing 
and  attacks  has  been  accepted  and  planning  guidance 
now  addresses  resiliency  for  operating  in  a  degraded 
network  environment.  For  the  U.S.  military,  the  ACD 
is  a  "synchronized,  real-time  capability  to  discover, 
detect,  analyze,  and  mitigate  threats  and  vulnerabili¬ 
ties"  which  includes  proactive  operations  "at  network 
speed  by  using  sensors,  software,  and  intelligence  to
detect  and  stop  malicious  activity  before  it  can  affect 
DoD  networks  and  systems."138 

Figure  10.  Relation  of  ACD  to  the
Dynamics  of  Conflict  and  Escalation. 

Ideally,  ACD  applications  are  limited  to  achieve 
the  minimal  effects  necessary  to  defend  the  military 
network.  This  reflects  several  forms  of  national  motivation;
primarily  contractual  —  working  toward  a
reasonable  cost/benefit  balance  —  as  well  as  agonistic  —
functioning  along  the  lines  of  evolving  rules  of
Internet  governance.  Motivations  may  also  reflect 
familial  norms,  such  as  trying  to  preserve  a  free  and 
open  Internet.  Stylistic  motivations  and  actions  may 
be  a  source  of  friction  in  limited  conflict  since  they  are 
often  tied  to  national  character  and  culture,  which  can
vary  greatly  for  cyberspace  issues  among  the  United 
States,  Russia,  China,  North  Korea,  and  others.  Moti¬ 
vations  of  explicit  coercion  are  not  expected  unless  one 
is  willing  to  accept  possible  escalatory  consequences. 

In  military  terms,  any  ACD  actions  that  extend 
beyond  blocking  network  access  points  would  strive 
to  be  precise,  proportional,  and  limited  in  scope.  The 
focus  would  be  to  enhance  joint  operations  of  general
purpose  forces  at  the  tactical  and  operational  levels  —
mainly  intelligence  gathering  and  defenses  that
operate  under  decentralized  authorities.139  If  kinetic 
attacks  reach  the  level  of  armed  conflict,  then  support¬ 
ing  cyber  operations  should  also  follow  the  tenets  of 
the  Law  of  Armed  Conflict  (e.g.,  necessity,  distinction, 
proportionality).140  As  such  confrontations  occur  in  the 
future,  systems  bargaining  among  nations  may  lead 
to  the  development  of  formal  and  informal  rules  of 
engagement  that  add  stability  and  reduce  the  chance 
for  unintentional  escalation.  Certainly,  nonstate  actors 
can  and  do  operate  in  cyberspace  asymmetrically  and 
outside  of  international  norms,  but  that  is  beyond  the 
scope  of  this  discussion. 

In  the  upper  half  of  Figure  10,  the  goal  is  to  prevent 
conflict  from  escalating  to  a  game  of  chicken  with  nu¬ 
clear  arms.  Of  course,  a  strategy  of  deterrence  requires 
the  capabilities  and  resolve  to  conduct  extreme  vio¬ 
lence  in  order  to  influence  a  potential  adversary  not  to 
pursue  such  a  course  of  action.  If  such  forces  are  used, 
the  concern  for  precision  would  focus  on  effectiveness 
with  decreased  concern  for  limiting  collateral  damage. 
Similarly,  the  criteria  for  distinction  of  purely  military 
targets,  especially  in  the  cyber  realm,  may  be  relaxed 
in  order  to  protect  critical  deterrent  forces. 
A  prudent  force  structure  in  this  case  is  to  have
separate  ACD  capabilities  that  are  optimized  to  ensure
the  proper  function  of  the  deterrent  forces  —  conventional
strike,  cyber  offense,  and  nuclear  strike.
This  approach  also  makes  sense  from  a  budget  and 
resource  perspective  since  the  expense  in  adding  ad¬ 
ditional  protection,  survival,  and  resilience  measures 
would  be  confined  to  the  critical  portion  of  strategic 
ACD.  Operations  at  this  level  would  require  "fires" 
authority  that  "should  reside  at  the  highest  levels  of 
government"  with  no  decentralization.141  This  is  con¬ 
sistent  with  traditional  nuclear  operations  concept 
of  execution  direction  being  provided  by  a  limited 
number  of  national  command  authorities.  The  na¬ 
tional  motivation  leans  heavily  toward  coercion  after 
diplomatic  efforts  become  increasingly  strained  and 
ineffective.142 

Clearly,  the  threshold  area  is  a  critical  transition 
from  regionally  limited  conflict  that  largely  conforms 
to  international  standards  to  a  much  riskier  engage¬ 
ment  that  can  escalate  to  existential  stakes.  In  this 
area,  kinetic  activity  has  reached  the  levels  of  armed 
attack  or  perhaps  armed  conflict,  and  belligerent  cy¬ 
ber  activity  has  gone  from  minor  probing  and  isolat¬ 
ed  intrusions  to  more  complex  and  pervasive  attacks. 
Criteria  discussed  in  the  Tallinn  Manual  can  help  as¬ 
sess  its  international  legal  implications,143  but  if  the 
state-sponsored  attacks  begin  against  such  targets  as 
banks  and  power  grids,  the  intensity  and  stakes  move 
toward  the  upper  half.  While  military  ACD  will  still  be 
operating  at  the  tactical  and  operational  levels,  there 
needs  to  be  additional  measures  of  ACD  extending  to 
help  protect  against  attacks  on  civilian  and  infrastructure
targets.  Chairman  of  the  U.S.  Joint  Chiefs  General
Martin  Dempsey  recently  noted  about  such  cyber
aggression:  "It's  not  just  an  inconvenience,  if  we  lost 
critical  infrastructure  on  the  east  coast  for  a  period  of 
time,  people's  lives  would  be  lost."  The  ACD  required 
to  protect  cyber  targets  outside  of  military  networks 
would  be  broader  in  scope  and  require  interagency 
consultation,  cooperation,  and  resources.144  Potential 
ACD  actions  by  citizens  and  private  industry  touch 
on  many  unresolved  controversies  that  merit  further 
discussion. 

Table  2  summarizes  the  types  of  forces  expected  at 
each  area  of  the  simplified  model;  ACD  is  considered 
as  a  subset  of  cyber  forces.  Allied  and  coalition  mili¬ 
tary  forces  would  also  be  present  at  each  level  and  the 
added  complexity  of  their  operations  merits  more  de¬ 
tailed  analysis  beyond  this  monograph.  Circumstanc¬ 
es  will  dictate  where  activity  begins  along  the  escala¬ 
tion  ladder;  it  need  not  begin  at  the  lowest  point.  Any 
ensuing  escalation  need  not  be  sequential  or  linear  in 
its  progression.  Kahn  offered  several  criteria  to  con¬ 
sider  for  measuring  the  degree  of  escalation  possible 
in  any  particular  time  which  in  turn  can  indicate  the 
scope  of  ACD  required.145  First,  one  must  examine  the 
current  scale,  scope,  and  intensity  of  violence  of  the 
conflict  as  well  as  the  resolve  (or  recklessness)  demon¬ 
strated.  Next,  one  should  assess  if  any  actual  damage 
has  been  done.  What  is  the  apparent  closeness  to  war 
moving  to  the  upper  half  of  the  ladder?  Evaluating  the 
stability  of  the  conflict  is  important  to  determine  the 
likelihood  of  eruptions  or  spikes  in  attacks  that  could 
fuel  escalation.  This  would  include  evaluating  what 
provocation  has  occurred  and  what  precedents  have 
been  broken  as  well  as  what  threats  have  been  intended
or  perceived. 

Type of Military Forces, by Escalation Ladder Area

Upper Half (Existential Conflict)
  Conventional Forces:
    - Segmented from general forces
    - Precise effects
    - Collateral damage more acceptable
  Cyber Forces:
    - ACD focused on protecting deterrence
    - Triggers and activity authorized by highest national command
    - Cyber offense used
  Nuclear Forces:
    - Full alert for use
    - Aircraft & missile delivery
    - Weapons of last resort authorized by highest national command

Strategic Warfare Threshold
  Conventional Forces:
    - Continued theater level conflict
    - Support of other agencies and departments
  Cyber Forces:
    - Whole-of-government operations
    - ACD help support defense of national infrastructure
  Nuclear Forces:
    - Not used
    - Readiness increased

Lower Half (Theater / Regional Conflicts)
  Conventional Forces:
    - General purpose forces in all domains
    - Precise delivery and effects
    - Minimize collateral damage
  Cyber Forces:
    - ACD at network bounds
    - Limited ACD beyond network
    - Military command (delegated authority)
  Nuclear Forces:
    - Not used
    - Readiness maintained

Table  2.  Use  of  Military  Forces  in 
Simplified  Escalation  Ladder  Areas. 

Active  Cyber  Defense  and  Deterrence. 

Since  an  expanded  deterrent  capability  with  surviv¬ 
ability  enhanced  by  ACD  measures  plays  an  essential 
role  in  controlling  conflict  escalation,  there  is  merit  in 
a  more  detailed  review  of  an  implementation  concept
possible  for  U.S.  forces.  Figure  11  depicts  a  concep¬ 
tual  design  for  ACD  interfaces  supporting  deterrence 
operations  in  the  upper  half  of  the  escalation  ladder. 
The  ACD  activities  would  operate  in  two  modes:  an 
automatic  mode  with  triggers  based  on  a  priori  crite¬ 
ria  established  and  updated  by  command  authorities 
and  a  manual  mode  that  requires  command  author¬ 
ity  direction  for  execution.  Situational  awareness  is 
maintained  through  information  provided  by  strate¬ 
gic  intelligence  sources  as  well  as  tactical  and  opera¬ 
tional  indications  and  warnings.  Results  from  ACD 
actions  —  cyber  battle  damage  assessment  —  are  pro¬ 
vided  as  feedback.  Decisionmaking  by  national  com¬ 
mand  authorities  can  be  supported  by  artificial  intel¬ 
ligence  systems  that  can  develop  and  assess  courses  of 
action,  perhaps  leveraging  advanced  "mindreading" 
designs  that  can  rapidly  perform  modeling,  simula¬ 
tion,  and  prediction  reflecting  fifth-order  beliefs.146 


Figure  11.  Details  of  ACD  in  Deterrence 
Operations. 

The  ACD  system  would  provide  continuous  automated
protection  for  the  deterrence  strike  forces
shown  as  well  as  the  command  and  control  systems  of 
the  command  authorities.  The  first  line  of  kinetic  de¬ 
terrent  forces  would  be  conventional  global  strike  forc¬ 
es  that  are  always  segmented  from  general  purpose 
forces  —  thus  no  dual  purpose  missions  are  allowed
for  these  forces  in  limited  conflict.  These  would  be  of 
sufficient  quantity  for  anticipated  threats,  perhaps  as 
few  as  20  long-range  aircraft  plus  long-range  missiles. 
The  ultimate  deterrent  remains  nuclear  forces,  which 
would  continue  to  be  a  mix  of  weapons  delivered  by 
aircraft  and  land-  and  sea-based  ballistic  missiles  in 
numbers  that  reflect  continuing  arms  reduction.147 

The specific roles of offensive cyber strike forces
are currently ambiguous and activities may overlap
between ACD that assertively negates cyber attacks
against deterrence forces and offensive cyber attacks
for counterforce operations. The 2011 U.S. International
Strategy for Cyberspace includes a declaratory statement
that supports its inherent right to self-defense
and deterrence: "When warranted, the United States
will respond to hostile acts in cyberspace as we would
to any other threat to our country." It goes on to state
that such response may "use all necessary means —
diplomatic, informational, military, and economic — as
appropriate and consistent with international law."148
Healey and Wilson examined cyber offensive actions
and their approximate physical world equivalent and
how existing executive and legislative provisions may
apply to them.149 A recent study by The Defence Academy
of the UK cautions that "online weapons may be
unreliable or uncertain in their effects" and that such
weapons "coupled with an explicit policy of conventional
military kinetic retaliation risks rapid escalation
of real-world war."150 Other respected theorists such
as Colin Gray are more conservative in their assessments,
offering that "cyber offense usually is likely to
achieve some success," but that "the harm we suffer
is most unlikely to be close to lethally damaging;"
concluding that "it is clear enough today that the sky
is not falling because of the cyber peril."151 Clearly,
the topic of integrating cyber offensive into strategic
operations requires further extensive study.

Deterrence Effectiveness.

Perhaps some Cold War lessons learned can serve
as a "litmus test" for an updated deterrence strategy
incorporating ACD and cyber offence. Richard Kugler
posits that U.S. nuclear deterrence worked because it
was credible; it was conducted in the context of political
dynamics; it denied the Soviet Union any favorable
prospects from aggression; it favored development
of flexible options; and it minimized the risk
of unwanted escalation.152 Incorporating ACD into
deterrence improves credibility by enhancing deterrence
force capabilities and survival. Also, having a
declaratory statement from the country's executive in
an official public document demonstrates resolve and
legality. As Eric Jensen noted, "while this statement
was controversial when made, there is no doubt of its
legality."153 The updated escalation ladder adds perspective
on how to view ACD and other cyber support
of operations not in isolation, but in the context
of all elements of national power. Admittedly, this
section has viewed these issues from the perspective
of the United States, which implicitly includes mutual
military commitments with allies; further discussion
should examine this more explicitly. Having a three-pronged
deterrence force protected by ACD strives to
influence an adversary's decisionmaking by not only
denying benefits, but also by imposing costs and inducing
restraint. Implementing such a cross-domain
framework "would contribute to more effective deterrence
and crisis management."154 By design, this cross-domain
force provides national command authorities
with flexible options that are beyond nuclear-only in
case of extreme escalation.155 In theory, while having
more options below the nuclear level may reduce the
chance of reaching the ultimate limit of war, there is
no guarantee that it would minimize the risk of unwanted
escalation below that threshold.

RECOMMENDATIONS 

This monograph examines the past and present
of joint and Army cyberspace military operations as
well as how these operations may fit into the complex
and dynamic sphere of international deterrence and
escalation. To facilitate the best evolutionary path for
future activities it recommends the following actions
be considered.

Current Military Cyberspace Priorities.

The five command priorities set forth by General
Alexander and carried forward by Admiral Rogers
seem appropriate for the current evolution of USCYBERCOM
and progress on them continues at a
steady pace. However, some of the successes in operationalizing
cyberspace are hidden behind questionable
classification decisions. Specifically, it is difficult
to comprehend why the inaugural version of JP 3-12
was issued as a secret document instead of an unclassified
document with a classified annex. This unnecessary
occlusion of basic doctrinal tenets (such as those
in FM 3-38) greatly hampers both U.S. and allied planners
and military educators. This is particularly ironic
when one considers that the former manifestation of
JP 3-12 was as Doctrine for Joint Nuclear Operations, a
document that was somehow kept unclassified. As
cyberspace doctrinal information is incorporated in
updates of capstone documents (e.g., JPs 3-0 and 5-0
[Joint Operation Planning]), the developers should consider
adding a concise cyberspace annex that serves
as a primer for cyberspace domain considerations.
Military and national cyberspace activities writ large
would benefit greatly if dedicated cyberspace theory
development was promulgated that includes exploration
beyond the domain definition of cyberspace.
All of these recommendations could be supported
by efforts at the Army's fledgling Cyber Center of
Excellence.

Authorities.

Determining the appropriate authorities involved
with decisionmaking and cyberspace operations, such
as ACD actions, through the escalation ladder will continue
to be a challenging and evolving issue. Military
forces are developing doctrine and force structures
to incorporate existing cyber related forces as well as
newly defined positions. Ideally, these are tested, refined,
and validated in exercise situations before full
employment. However, as conflict escalates, so does
the need to coordinate military operations with other
powers of government as well as with allies and international
governance bodies. Potential ACD actions
by citizens and private industry and their impact on
the conflict environment also have responsibility and
legitimacy issues that cannot be ignored. At the high-stakes
end of operations, one of the greatest challenges
is determining ways of applying and updating the
a priori authorities for ACD protecting deterrence forces.
Jensen offers a detailed and nuanced assessment of
legal issues related to cyber deterrence.156

Strategic Communication.

As work progresses toward better definition of cyberspace
force roles based on context and dynamics
of escalation framework, this must include strategic
communication. These are planned and coordinated
activities to provide the actions, images, and words
necessary to help make the modified deterrence effective
in the ways intended. Manzo notes that:

cultural differences, contrasting strategic objectives,
differing strengths and vulnerabilities can cause decisionmakers
in the United States and other countries to
reach different conclusions about proportionality and
escalation.157

Efforts to overcome such differences could leverage
studies like Melissa Hathaway's recent development
of a Cyber Readiness Index, which examines
the maturity and commitment for cybersecurity by
35 countries, including those that had formally established
national strategies and competent authorities,
mostly in nonmilitary areas.158 Also, the publication
of an unclassified version of JP 3-12 would contribute
to the international understanding and commitment
of U.S. cyberspace forces. All of these activities would
support strategic engagement — the socio-political
support for cyberspace operations — as the second dimension
of full spectrum operations.159

Multi-Role Modeling.

Creating a realistic model for cyberspace force
roles in escalation and deterrence requires a holistic
consideration of environmental influences. As Ronald
Deibert notes, "Securing cyberspace requires reinforcement
of restraint on power, including checks and
balances on governments, law enforcement and intelligence
agencies."160 The first dimension of full spectrum
operations involves the psychological contest of
wills.161 The Kahn ladder was never envisioned for application
beyond modeling interactions between two
nations. To portray our multipolar world more accurately,
models need to not only consider interactions
between multiple nations, but also that the "policies
to deter one type of adversary may differ from those
needed to deter another adversary, with varying degrees
of soft and hard rhetoric or of positive incentives
and punishing responses."162 The model should also
include the dynamic of groups of nations, especially
those in formal alliances such as the North Atlantic
Treaty Organization (NATO). Finally, the activity of
individuals and nonstate actor groups — some operating
within accepted international norms, some
not — can present asymmetric challenges and potential
threats to the dealings amongst nations and thus
should be included in the multi-role models.

Other Paradigms and Factors.

In addition to considering Cold War models such
as the Kahn ladder, Sean Lawson also examined other
metaphors as frameworks for analyzing cyberspace activities
related to strategic deterrence. He posits there
are similarities between insurgency or biological warfare
and cyber crime and espionage.163 Paradigms are
needed to model cyber activity outside of designated
military networks; these could help better define the
threshold separating ACD that negates cyber attacks
against deterrence forces from offensive cyber attacks
for counterforce operations. Finally, the longer-term
dynamics of de-escalation and counter-proliferation
measures, such as potential arms control in cyberspace,
introduce valuable methods for achieving and
maintaining a more stable international environment
in all domains.164

CONCLUDING REMARKS

Military cyberspace operations have been ongoing
since before the advent of the Internet. Such operations
have evolved significantly over the past 2
decades and are just now emerging into the realm of
military operations in the traditional domains of land,
sea, and air. To facilitate the operationalization of this
new domain, education of the tenets of cyberspace
must occur at the tactical, operational, and strategic
levels of leadership. More importantly, the deliberate
pursuit of understanding the full scope of cyberspace
beyond that of a mere domain is essential for providing
a theoretical foundation for current and future operations.
Also in this regard, the development of such
fundamental theory should look forward to embrace
potentially radical manifestations of cyberspace in the
future as well as looking back at its history.

The persistent increase of cyberspace activities in
global events continues to make international dynamics
more complex. The scope of context for such matters
needs to consider not just other military efforts or even
other instruments of national power, but how they are
presented in an escalation framework and where they
may be going. A modified Kahn escalation ladder is
a useful metaphor to explore how cyberspace activities
may integrate with traditional military operations
across the spectrum of international conflict as well as
how such defenses influence national responses related
to deterrence and escalation. Expanding deterrence
forces to include conventional strike and cyber offense
can add capability and credibility as well as flexibility
to course-of-action development available for national
command authorities. Cyberspace operations such
as automated cyber defense can support and enhance
deterrence operations and limited conflict as well as
help control escalation and reduce risk.

APPENDIX


The following diagram is taken from Chapter IV
of JP 3-12(R), Cyberspace Operations, that was declassified
and posted for public access on October 21, 2014.
It depicts typical military cyberspace command and
control structures for steady-state and contingency
operations. Note that the organization listed as "USSRATCOM"
in the upper left corner of the figure is a
typographic error for "USSTRATCOM."


Cyberspace Command and Control Organizational Construct

•Representational of JCC's relationship with DISA's sub-element

Legend

ADCON  administrative control
AFCY  Air Forces Cyber Command
ARCY  Army Cyber Command
CCDR  combatant commander
CCMD  combatant command
COCOM  combatant command (command authority)
DIA  Defense Intelligence Agency
DISA  Defense Information Systems Agency
DNC  DISA network center
FLTCY  Fleet Cyber Command
JCC  joint cyberspace center
MAR4CY  Marine Corps Forces Cyberspace Command
NGA  National Geospatial-Intelligence Agency
NSA  National Security Agency

Figure A-1. Cyberspace Command and Control
Organizational Construct.